-rw-r--r--doc/helper/conntrackd.conf8
-rw-r--r--src/helpers/Makefile.am5
-rw-r--r--src/helpers/slp.c87
3 files changed, 100 insertions, 0 deletions
diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 4148544..6ffe008 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -96,6 +96,14 @@ Helper {
ExpectTimeout 300
}
}
+ Type slp inet udp {
+ QueueNum 7
+ QueueLen 10240
+ Policy slp {
+ ExpectMax 8
+ ExpectTimeout 16
+ }
+ }
}
#
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index 51e2841..58c9ad0 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -8,6 +8,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
ct_helper_tftp.la \
ct_helper_tns.la \
ct_helper_sane.la \
+ ct_helper_slp.la \
ct_helper_ssdp.la
HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
@@ -45,6 +46,10 @@ ct_helper_sane_la_SOURCES = sane.c
ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)
+ct_helper_slp_la_SOURCES = slp.c
+ct_helper_slp_la_LDFLAGS = $(HELPER_LDFLAGS)
+ct_helper_slp_la_CFLAGS = $(HELPER_CFLAGS)
+
ct_helper_ssdp_la_SOURCES = ssdp.c
ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)
diff --git a/src/helpers/slp.c b/src/helpers/slp.c
new file mode 100644
index 0000000..b8339d6
--- /dev/null
+++ b/src/helpers/slp.c
@@ -0,0 +1,87 @@
+/*
+ * This helper creates and expectation to allow unicast replies to multicast
+ * requests (RFC2608 section 6.1). While the destination address of the
+ * outcoming request is known, the reply can come from any unicast address so
+ * that we need to allow replies from any source address. Default expectation]
+ * timeout is set one second longer than default CONFIG_MC_MAX from RFC2608
+ * section 13.
+ *
+ * Example usage:
+ *
+ * nfct add helper slp inet udp
+ * iptables -t raw -A OUTPUT -m addrtype --dst-type MULTICAST \
+ * -p udp --dport 427 -j CT --helper slp
+ * iptables -t raw -A OUTPUT -m addrtype --dst-type BROADCAST \
+ * -p udp --dport 427 -j CT --helper slp
+ * iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED \
+ * -j ACCEPT
+ *
+ * Requires Linux 3.12 or higher. NAT is unsupported.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <linux/netfilter.h>
+
+static int slp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+ struct myct *myct, uint32_t ctinfo)
+{
+ struct nf_expect *exp;
+ int dir = CTINFO2DIR(ctinfo);
+ union nfct_attr_grp_addr saddr;
+ uint16_t sport, dport;
+
+ exp = nfexp_new();
+ if (!exp) {
+ pr_debug("conntrack_slp: failed to allocate expectation\n");
+ return NF_ACCEPT;
+ }
+
+ cthelper_get_addr_src(myct->ct, dir, &saddr);
+ cthelper_get_port_src(myct->ct, dir, &sport);
+ cthelper_get_port_src(myct->ct, !dir, &dport);
+
+ if (cthelper_expect_init(exp,
+ myct->ct,
+ 0 /* class */,
+ NULL /* saddr */,
+ &saddr /* daddr */,
+ IPPROTO_UDP,
+ &dport /* sport */,
+ &sport /* dport */,
+ NF_CT_EXPECT_PERMANENT)) {
+ pr_debug("conntrack_slp: failed to init expectation\n");
+ nfexp_destroy(exp);
+ return NF_ACCEPT;
+ }
+
+ myct->exp = exp;
+ return NF_ACCEPT;
+}
+
+static struct ctd_helper slp_helper = {
+ .name = "slp",
+ .l4proto = IPPROTO_UDP,
+ .priv_data_len = 0,
+ .cb = slp_helper_cb,
+ .policy = {
+ [0] = {
+ .name = "slp",
+ .expect_max = 8,
+ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */
+ },
+ },
+};
+
+static void __attribute__ ((constructor)) slp_init(void)
+{
+ helper_register(&slp_helper);
+}
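Review bot: slp_helper_cb registers a new expectation for every packet of the flow regardless of direction: `dir` is read only to pick the addresses and ports, never to skip reply-direction packets, so a packet seen in the reply direction would create a source-wildcarded expectation pointed at the peer's address with the ports swapped. A guard at the top of the callback, `if (dir != MYCT_DIR_ORIG) return NF_ACCEPT;` (the original-direction constant from myct.h), limits the helper to the outgoing request the header comment describes. Whether the repeated `myct->exp = exp` assignment on successive packets releases an earlier expectation that was not consumed is not visible here and is worth confirming. The header comment should also state that the expectation passes NULL for saddr together with NF_CT_EXPECT_PERMANENT, so for the policy's expect_timeout any host may reach the requesting port and expect_max is what bounds that exposure; it has typos as well: `creates and expectation` → `creates an expectation`, `outcoming` → `outgoing`, and a stray `]` after `expectation`.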